Data Processing Agreement (DPA)
Draft template: This is a working draft modelled on the EU SCCs (2021/914) and GDPR Art. 28. A signable PDF will be provided by the operating entity on request from any customer on a paid plan.
1. Parties
This DPA is entered between the customer (the Controller) and Traqly (the Processor). It governs the processing of personal data by Traqly on behalf of the Controller in the context of the Services described in the Terms of Service.
2. Subject matter & duration
Subject matter: server-side capture, identity stitching and forwarding of website visitor events to ad platforms. Duration: term of the Controller's active subscription plus 30 days for deletion.
3. Nature, purpose & categories
Nature: automated processing of pseudonymized identifiers for marketing attribution. Purpose: attribution analytics, conversion forwarding, AI-driven optimization recommendations. Categories of data subjects: website visitors, customers, leads.
4. Categories of personal data
- Online identifiers (cookie ID, browser fingerprint, click IDs)
- Truncated IP address; the full IP address is retained for at most 7 days for fraud detection
- Hashed email address and phone number (SHA-256) when supplied by the visitor
- Page URLs, referrers, user-agent strings
- Event metadata: timestamps, transaction values, product identifiers
5. Sub-processors
Traqly engages the sub-processors listed in our Privacy Policy. New sub-processors will be announced 30 days in advance; the Controller may object in writing.
6. Security (Art. 32)
- TLS 1.2 or higher for data in transit
- At-rest encryption for all production databases
- bcrypt (cost factor 12) for password hashing; AES-256-GCM for stored API keys
- Role-based access control with least-privilege defaults
- Daily off-site backups with 30-day retention
- Centralized audit log of administrative actions
7. Assistance with data-subject rights
Traqly provides API endpoints and a self-service interface for the Controller to exercise data-subject rights (export, deletion, restriction). Forwarding of deletion requests to connected ad platforms (Meta, Google, TikTok) is supported.
8. International transfers
Production data is stored in the EU (German data centers). Transfers to non-EU sub-processors (e.g. Anthropic, US) are governed by the EU Standard Contractual Clauses (2021/914) and supplementary measures.
9. Audit rights
On reasonable notice and at the Controller's cost, the Controller may audit Traqly's compliance with this DPA no more than once in any 12-month period. Once available, Traqly may satisfy an audit request by providing its SOC 2 Type II report (planned, not yet available).
10. Liability & signing
Liability mirrors the Terms of Service. Customers on paid plans can request a countersigned PDF version of this DPA from [email protected].